Disaster Recovery and Validation Fears Have a Remedy: The Cloud

There are many measures proactive people take to prepare for potential disasters. Buying homeowner’s insurance, packing emergency “bug-out” bags, and storing viable supplies of shelf-stable foods are just a few common examples of preparedness contingencies. As recent events have shown, a lack of preparedness during a state of panic can lead to shortages of necessities like gasoline, hand sanitizer, and even toilet paper. To avoid similar distresses and business disruptions when outages occur in the systems that store and connect data, companies need their own disaster recovery and business continuity plans. Every business expects the best outcomes but must be prepared for the worst.

The data we generate, collect, and store is the fuel that propels our businesses. But the systems we use to retain and connect that data are all susceptible to outages and downtime caused by catastrophic events, whether they are natural disasters (like a storm that knocks out a power grid or a fire that destroys paper files kept in a storage facility) or man-made disasters (like malware or ransomware attacks). Regardless of a disaster’s source, its consequences can be catastrophic. Disaster-caused server downtime can cost a company anywhere from $10,000 to more than $5 million per hour, depending upon the size of your organization. (¹) Your business’ ability to recover from a disaster could be the key to its survival.

4 Fundamental Steps of Disaster Recovery

Recovering from a disaster involves a sequence of four critical measures:

1. Identifying the incident.
2. Quarantining the affected systems.
3. Performing a risk review of potential losses vs. the last “known good” status.
4. Restoring the system to normal operations.

Even if you know the actions to take, however, bouncing back from a catastrophe doesn’t just happen. It takes planning. A formal disaster recovery plan (DRP) should be the cornerstone your business relies on as it attempts to restore the operability of systems, applications, and facilities after a major and/or catastrophic event. The general attributes of a DRP typically include:

• The definition of safety actions needed to protect company data, assets, equipment, and personnel.
• A concerted focus on deploying technology, implementing equipment, and doing periodic testing in preparation for the recovery of systems after a disaster.
• The specification of backup and recovery methods and processes that will be implemented, which may include:
• Offsite recovery (in cases where a lost location must be rebuilt).
• Lost server room or data center recovery.
• Lost business-critical operation recovery.

It is essential to note that a DRP, while vital, is not sufficient on its own. A business continuity plan, the counterpart to the DRP, is also crucial for defining the critical risks and actions necessary to support the continuation of operations during and after an outage. Business continuity and the importance of integrating it with your quality management system is addressed here.

The Impact of Disasters on Validated Systems

Whenever a company that does business in regulatory environments makes a change to a computer system — especially if that change is the result of a disastrous event — there is always cause for concern about the impact of the change on the system’s validated state. This is especially true of companies in life sciences industries, who are subject to an array of good manufacturing practice (GMP), good laboratory practice (GLP), good clinical practice (GCP), and similar “GxP” regulatory guidelines. As such, the compliance of their validated systems is contingent on the development and ongoing maintenance of manufacturing disaster recovery, GCP disaster recovery, or other modality of disaster recovery plan that is appropriate to the types of data managed in their business-critical computerized systems that require validation.

While there is no such thing as a solution that provides “backup validation,” a robust cloud-based system can ensure that system downtime, inaccessibility, or outages will not complicate validation or jeopardize regulatory compliance.

Cloud Technology: The Cure for Disaster Recovery Concerns

Not many years ago, most companies feared that any data not stored on premise might suddenly become inaccessible or susceptible to attack. As cloud computing has become the norm and the technology to support it has advanced, however, those concerns have vanished. Reliable cloud providers, such as those that utilize Amazon’s proven Simple Storage Service (S3) for data storage, can now guarantee nearly 100% system uptime. And any dependable cloud technology provider will contractually agree to acceptable disaster recovery and business continuity terms.

If you’re considering moving to a cloud-based system, first ask the provider questions such as the following to determine if the technology meets your disaster recovery needs:

• What is your process for recovering files in the event of data loss?
• In the event of a catastrophe, how much time will it take to get the system operational and data restored to the most recent full backup (i.e., what is the Recovery Point Objective (RPO) and Recovery Time Objective (RTO))? (Note that the fastest RPO that can feasibly be achieved is four hours and the fastest RTO is four hours.)
• Does the disaster recovery process include electronic file loss, electronic database record loss, data corruption, accidental overwriting of the file system, and facility utility disruption (or other need specific to your business)?
• Can you provide audit results, certification reports, statements of compliance, or other evidence of your ability to satisfy industry standard regulatory requirements for disaster recovery, data integrity, and validation (e.g., does it meet standards for cloud-specific data integrity and information security controls such as ISO 27017)?

To delve deeper into the topic and determine if a cloud-based system is the right fit for your organization, download the “Business Case for Cloud Migration” white paper.

References:

1. “Average cost per hour of enterprise server downtime worldwide in 2019,” Thomas Alsop, Statista, Dec. 7, 2020.